Privacystatement Coronavirus testing

Testing for the coronavirus and communicating the results

It is important that we properly secure your data. We are careful with it, and we comply with laws such as the General Data Protection Regulation (GDPR).

Who works with your personal data?

At the GGD GHOR Nederland, we ask you to give us some personal data for the coronavirus test. We use and keep this data. We must do this as stated by law. This means that we handle your personal data carefully and securely. We also need to let you know what data we have about you, what we do with it and who works with it.

We share your data with the following organizations:

• The GGD: Local GGD departments and GGD doctors (called the GGD in this document)
• GGD GHOR Nederland
• The laboratory that works with your coronavirus test
• The IT provider (Topicus) of CoronIT and its sub-processors
• Teleperformance call centre

Did you make an appointment for a coronavirus test through the call centre, the coronatest website or a doctor? Then your personal data will be transferred to CoronIT. CoronIT is the administration system for the test process and communication. It lets the GGDs see whose test result it is. Normally, the GGD GHOR cannot see this unless there is a problem that our Service Desk needs to solve. Then they will be allowed to see this data.

What happens to your personal data?

We use your personal data to be able to run a coronavirus test. We also use it to tell the GGD and you about the test result. Would you like to know which personal data we ask for? And what else we use it for? Please take a look at the section below called What else do we use your personal data for?

Here is a brief description of what happens to your personal data.

You get symptoms that could be related to the coronavirus, such as coughing, a fever, tightness in the chest, a sore throat, or a lower ability to smell or taste. You therefore decide that you want to be tested
You register for a test through the coronatest website. You then choose from three possible times. You can also call the call centre to make an appointment. The call centre may tell you to contact the GGD. If a doctor thinks you need a coronavirus test, they will make the appointment for you.
You get the coronavirus test. Your test goes to a laboratory for examination.
You can see the result of the test on the coronatest website. Or you might receive a phone call to tell you the result. The GGD will contact you if the result is positive and you are infected with the coronavirus.
Do you have the coronavirus? Then the GGD will talk with you about the next steps. For example, you might have to stay at home for a while. And you might not be allowed to have contact with other people. This is called quarantine. They will also look into who you have been in contact with and how you got the infection. This is called the source and contact investigation.

See below for more information about all of the steps.

STEP 1: You sign up for a test

There are various ways to make an appointment:

You can make an appointment in 3 ways:

Through the coronatest website.
Through the call centre.
Through a company doctor.

1. Signing up through the coronatest website

You can go to the coronatest website and tell us which symptoms you have. If you have symptoms that are related to the coronavirus, we will ask you a number of questions. For example: have you been in contact with people who were infected with the coronavirus?

You can then log in with your DigiD and choose a date, time and test location. We will also ask you for your phone number and email address. That way, we can send you confirmation and contact you if needed. You will receive confirmation of your test appointment by e-mail and SMS

2. Signing up through the call centre

You can call the call centre to make an appointment. The employee at the call centre will register your personal data. Then they will make an appointment for your coronavirus test. You will receive confirmation of your test appointment by e-mail and SMS.

3. Signing up through a company doctor

A doctor may check to see whether you need a coronavirus test. If you do, they will register your personal data. They will then schedule an appointment for your coronavirus test. You will receive confirmation of your test appointment by e-mail and SMS.

STEP 2: You take the test

The GGD does the coronavirus test. First, they look up your personal data in their administration system. Then they make sure that this data is linked to the test tube with your test and the barcode on it.

A GGD employee will do the test for you. They will put a cotton swab with cells from your nose and throat into the test tube.

STEP 3: Your test goes to the laboratory

The test tube is placed in safe packaging. A courier then takes the test tube to a laboratory.

STEP 4: They analyze your test

The laboratory will then analyze the coronavirus test. The result of this test might be:

Positive: you are infected with the coronavirus.
Negative: you are not infected with the coronavirus.
Doubt. The test is not clear.

The laboratory will enter the result in the administration system.

STEP 5: You get the result

The laboratory will tell the administration system which result belongs to which barcode. This links the barcode back to your personal data. Then you will find out the result. This can be done in the following ways:

A doctor, the GGD or a call centre employee will contact you and tell you the result.
You will receive an email that your result is ready and you can see it in the coronatest website.

The GGD will contact you if the result is positive and you have the coronavirus. The GGD will also talk about the next steps with you.

What else do we use your personal data for?

It is important that we know how many infections there are in the Netherlands and how many tests have been done. We use your data to find this out, but in a general, anonymous way. This means that we don’t see any of your personal data in the information. Your data might also be used for scientific research. This is also done anonymously, and it follows the rules that apply to scientific research.

We will ask you for your permission if we want to record your telephone conversation with a call centre employee. We will only record the conversation if you give us this permission. We use these recordings to help improve our work.

We do not use your personal data for anything else. Just the things we have explained above.

What personal data do we use?

We need your personal data to run the coronavirus test properly. And to let you know the result.

These are the types of personal data we need from you:

Your first and last name
Your address, or the address you use when you are not at home. For instance, this might be your address while you are on vacation.
Your date of birth
Whether you are male or female, or another gender term
Your Citizen Service Number (BSN)
Your phone number
Your e-mail address
Your symptoms
Your test tube barcode
The result of your coronavirus test
Perhaps the name of the doctor asking for the test
Whether you have had direct contact with others
Whether you have worked, and if so, in which type of job you work

You log in to the coronatest website with your DigiD. This will help you safely make your appointment. It will also let us know who is making the appointment. We will not be able to see your DigiD username or password.

Priority line

Do you work in education or healthcare and can you make an appointment through the priority line? If so, we would like to ask for some extra information to verify this. This may include an AGB code or a BRIN number. If you don’t have the verification information we need, you will need to use 0800-1202 or make an appointment online.

What laws apply to the way we use your personal data?

The General Data Protection Regulation (GDPR) states that we can only use your personal data if we have certain reasons. These are called ‘valid’ reasons. The GDPR states that these valid reasons are: consent, agreement, legal obligation, vital interest, public task / public interest or legitimate interest.

We use your data to fight an infectious disease epidemic. This is a public task or a public interest task. The GGD is also required by law to record, check and follow up on data for these types of diseases. We have to report our test results to the National Health Institute (RIVM). This is stated in the Wet publieke gezondheid (translated here as Public Health Act).

The laws that apply here are:

Wet publieke gezondheid (translated here as Public Health Act), Article 6, paragraphs 2 and 4.
Besluit publieke gezondheid (translated here as Public Health Decree), Article 11, paragraph 1.

We will only record the conversation with the call centre employee if you give us permission. We will ask you this before the conversation starts. The law that applies is GDPR Article 6, paragraph 1a and Article 9, paragraph 2a.

How long do we keep your personal data?

We keep your personal data for a maximum of five years. This is allowed by the Wet publieke gezondheid (translated here as Public Health Act). After this time, we destroy the data or make it anonymous.

During the corona test, an employee will use a cotton swab to remove cells from your nose and throat. This cotton swab is sent to a laboratory to be tested. How long the laboratory keeps the cotton swab depends on the result of the test:

You don’t have corona? The laboratory will destroy the sample from your test within a few days.
You do have corona? Then the laboratory can keep the sample from your test for 3 months. The laboratory uses your test to see how the virus is spreading.

We do not collect your DNA.

We will ask for your permission if we want to keep your personal data longer. The only time we wouldn’t ask you this is if we need to keep it longer because of another law.

We keep recordings of conversations with the call centre for 14 days. We use them to check the quality of our work and handle complaints. We delete the recordings after 14 days. Sometimes, there is a complaint or problem related to the recording. If this happens within the 14 days, then we keep the recording until we have dealt with the complaint or solved the problem.

How do we protect your personal data?

We think it is important to keep your personal data safe. Therefore, we make agreements with the people and organizations that process the data for us. The agreements say what they can do with your data for us.

What else do we do?

We also:

Make sure that we work with secure systems. We test this, or have it tested for us.
Make sure employees who work with your personal data know what they can and cannot do with the data. They must keep the personal data confidential.
Make sure that we work according to a fixed procedure. We also follow the laws and regulations about personal data.

What are your rights?

These are your rights under the law:

You have the right to receive correct information about what happens with your personal data.
You have the right to see your personal data. You can get a copy of this data.
If your details aren’t right, you can ask us to correct them.
In some cases, you can ask us to delete your personal data.
In some cases, you can object to the use of your personal data.

You can contact the GGD that performed your test for all of these situations.

Do you have questions or complaints about the use of your personal data?

Do you have questions or complaints about the use of your personal data? Please contact the Data Protection Officer at the GGD that performed your test. Every GGD has a Privacy Statement. This states who the Officer is.

Appendix 1 lists the website addresses for all GGDs.

You can also report a complaint to GGD GHOR Nederland. You can do this by sending your complaint to the GGD GHOR Nederland’s Data Protection Officer. The email address is fg@ggdghor.nl.

What can you do if you don’t agree with the outcome or the way we handled your complaint? Then you can send a complaint to the Dutch Data Protection Authority. You can do this at this website: https://autoriteitpersoonsgegevens.nl/nl/vvoor-u-een-klacht-indient